Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Can I check who the heavy T1 users are?

Hi all - I have a WAN connection using a full T1 betwenn a 3640 running 11.1(7)AX and a 1721 running 12.2(8)YJ

When the T1 gets saturated, is there any simple way on the routers to find out who the big consumers are - by address or service?

Many thanks.



Re: Can I check who the heavy T1 users are?


you can use NBAR protocol discovery, which will give you byte and packet counters for each known or customer defined protocol. This will allow you to hunt down the applications/service causing the most load. You can even filter the output for the top-n talkers.

Have a look at "Network-Based Application Recognition" for a description, what NBAR is and can do for you.

The configuration in your case would look like this:

ip cef

interface Serial0/0

ip address ...

ip nbar protocol-discovery

To investigate the results use " show ip nbar protocol-discovery"

A full blown picture of what is going on can be obtained by NetFlow. It might just be a little too complex in your case.

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: Can I check who the heavy T1 users are?

I use IP accounting on the LAN interface to give me at least a running total by IP address. I to am trying to narrow down usage on a couple T1s. The only draw back is that I have cut and paste into notepad then open with excel to create a chart / graph of teh utilization. I am looking into the netwlof as recommended but one needs a server or something to process the netflow information from the router.

New Member

Re: Can I check who the heavy T1 users are?

Hello Dave,

Another option is to enable netflow on your interface(s) for accounting as well.


int Eth0/0

ip address

ip route-cache flow

router#sh ip cache flow

IP Flow Switching Cache, 278544 bytes

64 active, 4032 inactive, 19738309 added

317365869 ager polls, 0 flow alloc failures

Active flows timeout in 30 minutes

Inactive flows timeout in 15 seconds

last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-Telnet 1237 0.0 57 45 0.0 14.5 11.9

TCP-FTP 21551 0.0 18 58 0.0 6.1 7.9

TCP-FTPD 10777 0.0 176 586 0.4 1.0 1.7

TCP-WWW 8797599 2.0 15 344 30.8 5.3 4.8

TCP-SMTP 533300 0.1 10 268 1.2 3.3 5.8

TCP-X 205 0.0 1 60 0.0 0.4 14.9

TCP-BGP 13 0.0 1 52 0.0 0.1 15.1

TCP-NNTP 12 0.0 1 53 0.0 0.7 15.3

TCP-other 6317209 1.4 22 293 33.8 3.8 7.4

UDP-DNS 472640 0.1 23 63 2.6 20.2 15.4

UDP-NTP 1192084 0.2 1 76 0.2 0.0 15.4

UDP-TFTP 24 0.0 43 101 0.0 418.9 13.8

UDP-Frag 4 0.0 255 430 0.0 111.5 15.4

UDP-other 2052162 0.4 16 104 7.8 9.0 15.4

ICMP 339428 0.0 2 110 0.1 1.7 15.4

Total: 19738245 4.5 16 286 77.3 5.1 7.8

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Et0/0 Mu1 06 04A3 0050 34

Et0/0 Mu1 06 04AD 0050 25

Et0/0 Mu1 06 04AC 0050 30

Et0/0 Mu1 06 04AB 0050 23

Et0/0 Mu1 06 04A2 0050 22

Et0/0 Mu1 06 04C2 0050 6

Et0/0 Mu1 11 0AFD 0540 1

Et0/0 Mu1 06 0CEC 01BB 1

Et0/0 Mu1 11 007B 007B 1

Et0/0 Mu1 06 09BB 0050 2

Et0/0 Mu1 11 007B 007B 1

Et0/0 Mu1 11 007B 007B 1

Check the documentation for your version of IOS on other options for configuring netflow.


New Member

Re: Can I check who the heavy T1 users are?

Netflow is definitely the way to go. You'll get the most level of detail and won't sacrifice much CPU to get it like with NBAR.

One thing to keep in mind is in interpreting the results, you'll need to identify the protocol and port numbers in hex, and convert to decimal. One easy way to do this in windows is to open Calc and go into Scientific mode. Select Hex, input the number, and select Dec, it'll do the conversion for you.

For protocols, 6 TCP, 1 is ICMP, 17 (base 10) / 11 (base 8) is UDP. For others refer to:


Re: Can I check who the heavy T1 users are?

I will combine NBAR and Netflow. After enable NBAR, you can use the following command to know the top protocols in use on the network.

sh ip nbar PROtocol-discovery top-n 5 (for the top 5)

Then you find out the port numbers of the protocols using

sh ip nbar port-map

Knowing the port number, the output of netflow can be filtered to know which ip addreses are using this protocol. Remember to convert the port numbers to hexadecimal

show ip cache flo | include .

Hence you have both the top protocols and the top ip addresses.